Cloud VPN Overview

Introduction

Cloud VPN securely connects your on-premises network to your
Google Cloud Platform (GCP)
Virtual Private Cloud (VPC) network
through an IPsec VPN
connection. Traffic traveling between the two networks is encrypted by one VPN
gateway, then decrypted by the other VPN gateway. This protects your data as it
travels over the Internet.

Cloud VPN uses ESP in Tunnel mode with authentication. It does not support
AH or ESP in Transport mode.
Note that Cloud VPN does not perform policy-related filtering on
incoming authentication packets. Outgoing packets are filtered based
on the IP range configured on the Cloud VPN gateway.

Choosing VPN for hybrid networking

See How to choose an Interconnect type
to determine whether to use Cloud VPN, Cloud Interconnect – Dedicated
or Cloud Interconnect – Partner as your hybrid networking connection to
GCP. This page also covers what type of VPN scenarios
Cloud VPN supports.

Terminology

The following terms are used throughout the VPN documentation:

Project ID

The ID of your GCP project. This is not the project name,
which is the user-created friendly name of your project. To find the ID, see
the Project ID
column in the GCP Console. For more information, see Identifying
Projects.

IKE

The protocol used for authentication and to negotiate a session key for
encrypting traffic.

Note: Cloud VPN always initiates IKE. If two Cloud VPN
gateways are involved, either can act as the IKE initiator.

Cloud VPN gateway

A virtual VPN gateway
running in GCP managed by Google, using a configuration you
specify in your project. Each Cloud VPN gateway is a regional
resource using a regional external IP address. A Cloud VPN gateway
can connect to an on-premises VPN gateway or another Cloud VPN
gateway.

On-premises VPN gateway

The VPN gateway outside GCP that connects to a Cloud VPN gateway. It can be
a physical device in your data center or a physical or software-based VPN
offering in another cloud provider's network. Cloud VPN instructions are
written from the point of view of your VPC network, so the “on-premises
gateway” is the gateway connecting to Cloud VPN.

VPN tunnel

A VPN tunnel connects two VPN gateways and serves as a virtual medium through
which encrypted traffic is passed. Two VPN tunnels must be established to
create a connection between two VPN gateways: each tunnel defines the
connection from the perspective of its own gateway, and traffic can only pass
once the pair of tunnels is established.

Tunnel routing options

Cloud VPN offers three different routing methods for VPN tunnels:

Dynamic (BGP) routing

A Cloud Router can manage routes for a Cloud VPN tunnel using
Border Gateway Protocol
(BGP) if the
peer or on-premises VPN gateway supports it. This routing method
allows routes to be updated and exchanged without changing the tunnel
configuration. Routes to GCP subnets are exported to the on-premises VPN
gateway, and routes to on-premises subnets learned from the on-premises VPN
gateway are applied to your VPC network, both according to
the network's dynamic routing option. Dynamic routing is recommended because
it does not require that tunnels be re-created when routes change.

Policy-based routing

With this routing option, you specify remote network IP ranges and local
subnets when creating the Cloud VPN tunnel. From the perspective
of Cloud VPN, the remote network IP ranges are the “right side,”
and the local subnets are the “left side” of the VPN tunnel.
GCP automatically creates static routes for each of the
remote network ranges when the tunnel is created. When creating the
corresponding tunnel at the on-premises VPN gateway, the right and left
side ranges are reversed.

Route-based VPN

With this routing option, you only specify the remote network IP ranges (right
side). All incoming traffic is accepted through the tunnel, subject to routes
you create manually.

Note: Some literature refers to the left and right side subnet ranges as
encryption domains.

If IP address ranges for on-premises subnets overlap with IP addresses used
by subnets in your VPC network, refer to
Order of routes
to determine how routing conflicts are resolved.

Each Cloud VPN gateway must be connected to another
Cloud VPN gateway or an on-premises VPN gateway.

The on-premises VPN gateway must have a static external IP address. You'll
need to know its IP address in order to configure Cloud VPN.

If your on-premises VPN gateway is behind a firewall, you must configure
the firewall to pass ESP (IPsec) protocol and IKE (UDP 500 and UDP 4500)
traffic to it. If the firewall provides Network Address Translation (NAT),
refer to UDP encapsulation and NAT-T.

Cloud VPN only supports a pre-shared key (shared secret) for
authentication. You must specify a shared secret when you create the
Cloud VPN tunnel. This same secret must be specified when creating
the tunnel at the on-premises gateway. Refer to these guidelines for creating
a strong shared secret.

To account for ESP overhead, you may need to lower the MTU of systems
sending traffic through the tunnel. Refer to
MTU Considerations for a detailed
discussion and recommendations.

Cloud VPN requires that the on-premises VPN gateway be configured
to support prefragmentation. Packets must be fragmented before being
encapsulated.
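The following is an added worked example, not code from Google or from this documentation, that makes the ESP overhead and prefragmentation points above concrete: it computes the per-packet cost of tunnel-mode ESP from the RFC 4303 layout (outer IP header, SPI and sequence number, IV, padding, trailer, ICV, plus the UDP header when NAT-T is in use) and derives the largest inner packet that still fits an assumed 1500-byte path MTU without being fragmented after encapsulation. The transform names, IV and ICV lengths are standard ESP values; the 1500-byte path MTU is a constructed assumption, not a Cloud VPN figure.

```python
# Added worked example (not Google's code): ESP tunnel-mode overhead per RFC 4303,
# used to size the MTU of hosts sending traffic through an IPsec tunnel.
OUTER_IPV4 = 20   # outer IPv4 header added in tunnel mode
NATT_UDP = 8      # UDP header added when NAT-T encapsulation (UDP 4500) is in use
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# transform name -> (IV length, ICV length, alignment of the encrypted part)
TRANSFORMS = {
    "aes-cbc-hmac-sha1-96": (16, 12, 16),
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 16, 4),   # AEAD: 8-byte IV, 16-byte ICV, 4-byte alignment only
}


def esp_overhead(inner_len: int, transform: str, nat_t: bool = False) -> int:
    """Bytes added when an inner IP packet of inner_len bytes is encapsulated."""
    iv, icv, align = TRANSFORMS[transform]
    # Padding makes (inner packet + pad length + next header) a multiple of align.
    padding = (-(inner_len + ESP_TRAILER)) % align
    return (OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER
            + iv + padding + ESP_TRAILER + icv)


def max_inner_mtu(path_mtu: int, transform: str, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits in path_mtu.

    Setting the sending hosts' MTU to this value is what prefragmentation
    relies on: packets are sized before, not after, encapsulation.
    """
    for inner in range(path_mtu, 0, -1):
        if inner + esp_overhead(inner, transform, nat_t) <= path_mtu:
            return inner
    return 0


if __name__ == "__main__":
    # Assumed (constructed) Internet path MTU of 1500 bytes between the two gateways.
    for name in TRANSFORMS:
        for nat in (False, True):
            inner = max_inner_mtu(1500, name, nat)
            print(f"{name:24s} nat_t={nat!s:5s} inner MTU {inner} "
                  f"(+{esp_overhead(inner, name, nat)} bytes overhead)")
```

Note that the answer depends on the cipher suite and on whether NAT-T is in use, which is why the MTU Considerations page rather than a single number is the right reference.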

Cloud VPN uses replay detection with a window of 4096 packets. You
cannot turn this off.
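To show what a 4096-packet replay window means for traffic behaviour, here is an added illustration (not Google's code and not a description of Cloud VPN internals) of the standard sliding-window anti-replay check an ESP receiver performs per RFC 4303: packets that arrive out of order but within the window are accepted once, duplicates are dropped, and anything more than 4096 sequence numbers behind the newest accepted packet is dropped because the receiver can no longer tell whether it was already seen. The sequence numbers fed in are constructed.

```python
# Added illustration (not Google's code) of the sliding-window anti-replay check that
# an ESP receiver performs (RFC 4303 section 3.4.3), sized at 4096 as Cloud VPN's is.
class ReplayWindow:
    """Tracks ESP sequence numbers received on one security association."""

    def __init__(self, window_size: int = 4096) -> None:
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True to accept seq as fresh, False to drop it."""
        if seq == 0:
            return False   # the first packet on an SA carries sequence number 1
        if seq > self.highest:
            # Slide the window forward; old entries fall off the high end.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False   # behind the window: cannot prove it is not a replay
        if self.bitmap & (1 << offset):
            return False   # already received: replay
        self.bitmap |= 1 << offset   # late but genuine (reordered) packet
        return True


def replay_demo() -> dict:
    """Feed a constructed sequence of ESP sequence numbers and record the verdicts."""
    w = ReplayWindow(4096)
    return {
        "first": w.check_and_update(1),        # True: first packet
        "jump": w.check_and_update(5000),      # True: window now covers 905..5000
        "reorder": w.check_and_update(4999),   # True: late arrival inside the window
        "replay": w.check_and_update(4999),    # False: duplicate of an accepted packet
        "too_old": w.check_and_update(904),    # False: 4096 behind the newest packet
        "edge": w.check_and_update(905),       # True: 4095 behind, still in the window
    }
```

In practice this is why heavy reordering across parallel paths, or a peer that resets its sequence counter without rekeying, shows up as dropped packets on a tunnel rather than as an error you can configure away.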

Maintenance for Cloud VPN is a normal, operational task that may
happen at any time without prior notice. Maintenance periods are designed to be
short enough so that the Cloud VPN SLA is not impacted.

You can design highly available VPN configurations by using multiple tunnels.
Some strategies for doing this are discussed on the Redundant and
High-throughput VPNs page.

UDP encapsulation and NAT-T

Cloud VPN only supports one-to-one NAT via UDP encapsulation for
NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are
not supported. In other words, Cloud VPN cannot connect to
multiple on-premises or peer VPN gateways that share a single public IP address.

When using one-to-one NAT, an on-premises VPN gateway must be configured to
identify itself using a public IP address, not its internal (private) address.
When you configure a Cloud VPN tunnel to connect to an on-premises
VPN gateway, you specify an external IP address. Cloud VPN expects
an on-premises VPN gateway to use its external IP address for its identity.